CHAPTER - 13

INFORMATION SECURITY

FUNDAMENTAL

INFORMATION SECURITY

Tasks of guarding digital information, which is typically processed by a computer (such as a personal
computer), stored on a magnetic or optical storage device (such as a hard drive or DVD), and
transmitted over a network spacing.

COMPONENTS OF INFORMATION SECURITY

LAYER Description
PRODUCT The physical security around the data. May be as basic as door
locks or as complicated as intrusion-detection systems and
firewalls
PEOPLE Those who implement and properly use security products to
protect data.
PROCEDURE Plans and policies established by an organization to ensure that the
people correctly use the products.
 Components of Information Security

INFORMATION ASSETS

The foundation for security is assets that need to be protected. Assets may be people, things
created by people or parts of nature. In the area of information security, the assets are often
labelled as information assets, and enclose not only the information itself but also resources that
are in use to facilitate the management of information as depicted in Figure 1.

Figure 1: Information assets consist of information as well as resources to facilitate the management of
information

It is the information that is the primary asset, and IT and other resources are tools to facilitate
information management. Resources have hence an instrumental value in relation to the information (of
course, information may be highly integrated with resources that manage the information, e.g. in a
database).

The term information security expresses therefore a more holistic view than IT-security, which manifests
a more, technical view since technical resources are focused. As it will be seen in Figure 2, IT is defined
as digital tools for managing information.
 Figure 2: A classification of resources for information management

A more exhaustive definition of IT is : Information technology (IT) is a concept that refers to digital
technology, i.e. hard- and software for creating, collecting, processing, storing, transmitting, presenting
and duplicating information. The information may be in the shape of e.g. sound, text, image or video,
and IT mean hence a merging of the traditional areas of computers, telecom and media and duplicating
information. The information may be in the shape of e.g. sound, text, image or video, and IT mean
hence a merging of the traditional areas of computers, telecom and media.

Basic Principle of Information Security

Definitions of the CIA triad may differ depending on what kind of assets that are focused, e.g. a specific
computer/IT system, information system or information assets as defined above. Regarding information
assets, the three concepts can be defined as follows:

– Confidentiality: Prevention of unauthorized disclosure or use of information assets.

– Integrity: Prevention of unauthorized modification of information assets.

– Availability: Ensuring of authorized access of information assets when required.

Figure 3. A graphical description of the CIA triad – Confidentiality, Integrity and Availability

Threats against Information Assets

Information assets may be exposed for threats. There are a number of definitions of threat in the field of
computers, IT and information. Here are a few examples:

‘…an indication that an undesirable event may occur’

‘…any potential danger to information or systems’

Threats are potential undesirable actions or occurrences, that performs or causes by actors, by human
created artifacts or natural phenomena and which are supposed to impair the CIA triad of current
information assets.

Human threat agents may be intentional or accidental. Terrorism, information warfare, sabotages and
intrusions are examples of intentional threats, while carelessness, mistakes and ignorance are
unintentional threats.

Non-human threats, i.e. artifacts and natural phenomena, may be floods, fires, earthquakes and
thunderstorms. Artifacts may function in undesirable ways, and since humans create artefacts, threats
often have a combination of underlying threat agents. That is, humans may construct, implement,
configure or handle artifacts in inappropriate or destructive ways, for example people who creates
destructive IT-artifacts as viruses and worms.

Physical threats are threats that appear in a physical manner, like floods, thefts and fires.

Non-physical threats, or logical threats, are often connected to software as viruses, computer intrusion
and user’s software mistakes. Such threats will mostly affect non-physical assets, but may affect physical
assets as well.

Sometimes there are reasons to expect that actors, artifacts or natural phenomena that are not yet
existing, or not for the moment performing actions or causing occurrences may do so in the future. They
can be apprehended as potential threats.

INCIDENTS AND DAMAGES

While a threat is an assumption that an undesirable event may occur in a future, the term incident
refers to the actual occurrence of such event. In other words, a threat may be realized as one or several
incidents. A threat may still exist after a realization, since underlying causes still may have capabilities to
realize the threat several times. The probability for realization will however often decrease since people
often increase the protection against realized threats. Like threats, an occurred incident may be
unknown. Such incidents may be discovered after a while or remain unknown. Incidents that are
realized by unknown threats are unexpected incidents.

Incidents may lead to consequences. If a consequence affects the CIA triad of information assets
uncontrolled and negatively, it is labeled as damage. There may be incidents that not impair the CIA
triad, for example a virus that infects an information system without causing any damage. The infection
is still an undesired event that probably happens out of the control of the system managers.
Figure 4 shows the relationships between threat agent, threat, information asset, the CIA triad, incident
and damage (the definitions of threat and assets have been removed from the illustration to make the
graph more simple).

Figure 4. The concepts incident and damage are added to the growing graph

A definition of damage may be extracted from the objectives of information security: 3

Damages are uncontrolled impairs of the CIA triad of information assets.

Practically, there may be many kinds of damages. Information can be changed in an uncontrolled and
undesirable way, information may disappear or be read by unauthorized persons and information and IT
artifacts may be unavailable for authorized persons.

Examples of Security Requirements for Different Applications

The exact security needs of systems will vary from application to application even within a single application.
As a result, organizations must both understand their applications and think through the relevant choices to
achieve the appropriate level of security.

An automated teller system, for example, must keep personal identification numbers (PINs) confidential, both
in the host system and during transmission for a transaction. It must protect the integrity of account records
and of individual transactions. Protection of privacy is important, but not critically so. Availability of the host
system is important to the economic survival of the bank, although not to its fiduciary responsibility. As
compared to the availability of the host system, the availability of individual teller machines is of less concern.
 A telephone switching system, on the other hand, does not have high requirements for integrity on individual
transactions, as lasting damage will not be incurred by occasionally losing a call or billing record. The
integrity of control programs and configuration records, however, is critical. Without these, the switching
function would be defeated and the most important attribute of all—availability—would be compromised. A
telephone switching system must also preserve the confidentiality of individual calls, preventing one caller
from overhearing another.

Security needs are determined more by what a system is used for than by what it is. A typesetting system, for
example, will have to assure confidentiality if it is being used to publish corporate proprietary material,
integrity if it is being used to publish laws, and availability if it is being used to publish a daily paper. A
general-purpose time-sharing system might be expected to provide confidentiality if it serves diverse
clientele, integrity if it is used as a development environment for software or engineering designs, and
availability to the extent that no one user can monopolize the service and that lost files will be retrievable.

ETHICS IN COMPUTER SECURITY

1. Thou shall not use a computer to harm other people.

2. Thou shall not interfere with other people's computer work.

3. Thou shall not snoop around in other people's computer files.

4. Thou shall not use a computer to steal.

5. Thou shall not use a computer to bear false witness.

6. Thou shall not copy or use proprietary software for which you have not paid.

7. Thou shall not use other people's computer resources without authorization or proper compensation.
8. Thou shall not appropriate other people's intellectual output.

9. Thou shall think about the social consequences of the program you are writing or the system you are
designing.

10. Thou shall always use a computer in ways that insure consideration and respect for your fellow
humans.
Questions

1. What is information security?

2. List various components of information security

3. What are information assets?

4. What is ‘CIA’?

5. List various ethics in computer security?